Why Google's data collection snafu could be good for Gmail

Unlike most other web-based e-mail services, Gmail uses a high-security protocol at all times.

STORY HIGHLIGHTS

Gmail has a security mechanism that helps prevent hackers from accessing passwords

Hotmail added such a security method as an option for users last week

Yahoo Mail doesn't provide the always-on security feature

(CNN) -- Google disclosed recently that its Street View project had inadvertently collected personal data, and the company has faced an onslaught of investigations from two U.S. federal agencies and several European governments.

But in a strange irony, Google's blunder could reflect favorably on Gmail, the Mountain View, California, company's advertising-supported e-mail service.

Google faces scrutiny, most recently from the Federal Communications Commission last week, for logging e-mails and passwords that its Street View cars found floating on unprotected Wi-Fi networks.

But had those people been using Gmail, their data probably would have been safe.

Gmail is the only major Web-based e-mail client that uses a high-security standard, called Secure Sockets Layer, by default at all times. It's been doing so since January and has offered the feature in some capacity since it launched in 2004.

Last week, Microsoft added a full-session security option to Hotmail, its e-mail service. Customers of Hotmail, which research firm Compete says is the second-largest Web mail client in the U.S., can enable the security feature in their settings page.

Most browsers note when a site is using security with an image that looks like a padlock, or with the string "https" preceding the Web address. Most banking websites use this security mechanism.

Yahoo Mail, the largest in the U.S., only uses "https" during login and when users are manipulating settings in order to prevent usernames and passwords from being easily snatched by nearby hackers. Hotmail works the same way for those who haven't activated the always-on feature.

Similarly, Facebook and Twitter send login credentials over a secure connection and then revert to unencrypted HTTP. (Users of those social networks can add an "s" after "http" to force the sites to encrypt their browsing.) Social networking sites are where people increasingly conduct private conversations, whether through Facebook's Messages or Twitter's Direct Message feature.

This common method encrypts usernames and passwords, but reverts to the normal Web protocol, HTTP, for everything else. That makes those messages vulnerable to interception by others on the same Wi-Fi network. On a password-protected Wi-Fi Protected Access (WPA) access point, messages sent to and from unprotected websites are safer, but not as safe as when sites enable security on their end, experts say.

"With a little motivation and not much skill, it's fairly trivial to sniff HTTP traffic," said Alan Ross, the lead security analyst for Intel IT, noting there are free and easily attainable programs that can do just that.

"Maybe I want to see all web traffic for Facebook because I want to see what the interesting person across the cafe is updating on Facebook," he said.

Furthermore, someone can gain access to an e-mail or social network account using sniffing methods, without needing that person's password.

Websites install a "cookie" file on a user's computer, which includes a unique string of letters and numbers that makes up the session ID. When that file is sent over an unencrypted HTTP connection, it can be intercepted and used to access the account it belongs to.
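The cookie problem described above is something a site operator can check for in its own responses. The following audit script is an added example, not code from the article or from any of the companies it names: it parses a block of HTTP response headers, flags any Set-Cookie that lacks the Secure attribute (without it, the browser will send the cookie over plain HTTP, which is exactly what a sniffer on the same Wi-Fi network is waiting for) or the HttpOnly attribute, and reports whether the response carries a Strict-Transport-Security header, a mechanism standardized after this article was written that tells browsers to stay on HTTPS. The two header blocks are constructed for illustration; the cookie names and values in them are assumptions.

```python
"""Audit HTTP response headers for cookies that can leak over plain HTTP.

Added example (not from the article). Input is a raw header block as a
string; output lists cookies missing Secure/HttpOnly and whether HSTS is set.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str                                   # cookie name from Set-Cookie
    missing: list[str] = field(default_factory=list)  # attributes not present


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, names lowercased.

    The status line and blank lines contain no ':' and are skipped.
    """
    pairs: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookies(headers: list[tuple[str, str]]) -> list[CookieFinding]:
    """Return one finding per Set-Cookie that lacks Secure or HttpOnly."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; compare lowercased.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if missing:
            findings.append(CookieFinding(cookie_name, missing))
    return findings


def has_hsts(headers: list[tuple[str, str]]) -> bool:
    """True if a Strict-Transport-Security header is present."""
    return any(n == "strict-transport-security" for n, _ in headers)


def audit(raw: str) -> dict:
    """Run both checks over a raw header block."""
    headers = parse_headers(raw)
    return {"cookies": audit_cookies(headers), "hsts": has_hsts(headers)}


# Constructed sample: login happened over HTTPS, but the session cookie is
# not marked Secure, so the browser will replay it over HTTP on every page.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
"""

# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(raw)
        print(f"{label}: HSTS={result['hsts']}")
        for f in result["cookies"]:
            print(f"  cookie {f.name!r} missing {', '.join(f.missing)}")
```

Run against a site's own responses, the weak block produces a finding for SESSIONID and no HSTS, while the hardened block produces no findings. The Secure attribute is the piece that directly addresses the interception the article describes: a cookie the browser refuses to send over HTTP cannot be sniffed off an open Wi-Fi network.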

"Ideally, we'd like to see HTTPS enabled by just about every website," Ross said. "Don't use HTTP for anything that you don't want anyone else to see," he advised site operators.

"That's what they should be doing," added Toby Kohlenberg, a senior security specialist for Intel IT. "But that's not what the majority of them are doing."

A Google spokesman said the company figured out a way to keep HTTPS on at all times without noticeably slowing Gmail. In addition to Gmail's always-on security, Google offers HTTPS for many of its apps, including a beta version of the search engine called Google with SSL.